SophosLabs has asked us to remind you about a destructive malware threat that calls itself CryptoLocker.

Sophos Anti-Virus detects it by the name Troj/Ransom-ACP, because that’s exactly what it does: holds your files to ransom.

Demanding money with menaces

Malware that encrypts your data and tries to sell it back to you, or else, is not new.

In fact, one of the earliest pieces of malware that was written specifically to make money, rather than simply to prove a point, was the AIDS Information Trojan of 1989.

That Trojan scrambled your hard disk after 90 days, and instructed you to send $378 to an accommodation address in Panama.

The perpetrator, one Dr Joseph Popp, was tracked down in the USA, extradited to the UK to stand trial, displayed increasingly shambolic behaviour, and was ultimately kicked out of Britain and never convicted.

Fortunately, his malware was similarly shambolic: it used simplistic encryption algorithms, and every computer was scrambled in the same way, so free tools for cleanup and recovery soon became available.

Sadly, the crooks behind the CryptoLocker malware haven’t made the same coding mistakes.

The malware seems to do its cryptography by the book, so there is no way to recover your scrambled files once it has triggered. (You could, I suppose, try paying the ransom, but I recommend that you do not.)

What CryptoLocker does

When the malware runs, it proceeds as follows:

1. CryptoLocker installs itself into your Documents and Settings folder, using a randomly-generated name, and adds itself to the list of programs in your registry that Windows loads automatically every time you log on.

3. It tries to make a web connection to each of these server names in turn, trying one each second until it finds one that responds.

4. Once it has found a server that it can reach, it uploads a small file that you can think of as your “CryptoLocker ID.”

5. The server then generates a public-private key pair unique to your ID, and sends the public key part back to your computer.

→ Remember that public-key cryptography uses two different keys: a public key that locks files, and a private key that unlocks them. You can share your public key widely so that anyone can encrypt files for you, but only you (or someone to whom you have given a copy of your private key) can decrypt them.

6. The malware on your computer uses this public key to encrypt all the files it can find that match a largish list of extensions, covering file types such as images, documents and spreadsheets.

→ Note that the malware searches for files to encrypt on all drives and in all folders it can access from your computer, including workgroup files shared by your colleagues, resources on your company servers, and possibly more. The more privileged your account, the worse the overall damage will be.

7. The malware then pops up a “pay page,” giving you a limited time, typically 72 hours, to buy back the private key for your data, typically for $300. (The price point is surprisingly similar to what it was back in 1989.)

→ With the private key, you can recover your files. Allegedly. We haven’t tried buying anything back, not least because we know we’d be trading with crooks.
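To make the asymmetry in steps 4 to 7 concrete, here is a textbook RSA walk-through added as an illustration; it is not code from the article or from the malware. It uses toy primes (61 and 53, so the modulus is only 3233) and a dict standing in for the crooks' "key server": one key pair per victim ID, only the public half ever sent out, and the private half destroyed on demand. The same point recurs in the comments below about cracking the key, so the block also shows the only route open to someone who holds just the public key, factoring the modulus, which is instant at this size and hopeless at 2048 bits.

```python
# Added example (not from the Sophos article): textbook RSA with tiny,
# deliberately insecure numbers, modelling the key exchange the article describes.
from math import gcd, isqrt


def make_keypair(p, q, e=17):
    """Textbook RSA key generation from two primes. Toy sizes only."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = pow(e, -1, phi)          # modular inverse of e (Python 3.8+)
    return (n, e), (n, d)        # (public key, private key)


def encrypt(public_key, m):
    """Lock an integer message with the public key."""
    n, e = public_key
    if not 0 <= m < n:
        raise ValueError("message must be smaller than the modulus")
    return pow(m, e, n)


def decrypt(private_key, c):
    """Unlock with the private key; nothing else will do."""
    n, d = private_key
    return pow(c, d, n)


def factor_modulus(n):
    """Trial division: the only way to rebuild d from (n, e) alone.
    Feasible for a 4-digit n; not for the 617-digit n of a 2048-bit key."""
    for p in range(2, isqrt(n) + 1):
        if n % p == 0:
            return p, n // p
    raise ValueError("no factor found")


class KeyServer:
    """Hypothetical model of steps 4-5: a key pair per victim ID,
    and the private half never leaves this object."""

    def __init__(self):
        self._private = {}

    def register(self, victim_id, p, q):
        pub, priv = make_keypair(p, q)
        self._private[victim_id] = priv
        return pub                       # only the public key goes back

    def unlock(self, victim_id, c):
        return decrypt(self._private[victim_id], c)

    def has_private_key(self, victim_id):
        return victim_id in self._private

    def forget(self, victim_id):
        """'The server will destroy the key after a time specified...'"""
        self._private.pop(victim_id, None)


def demo():
    server = KeyServer()
    pub = server.register("victim-0001", p=61, q=53)   # n = 3233, e = 17
    plaintext = 65
    ciphertext = encrypt(pub, plaintext)               # 2790
    # The victim now holds only pub and ciphertext; without d it stays locked.
    recovered = server.unlock("victim-0001", ciphertext)
    server.forget("victim-0001")
    # With a toy modulus the victim could still factor n and rebuild d:
    p, q = factor_modulus(pub[0])
    _, rebuilt_priv = make_keypair(p, q, pub[1])
    return ciphertext, recovered, server.has_private_key("victim-0001"), decrypt(rebuilt_priv, ciphertext)


if __name__ == "__main__":
    print(demo())    # (2790, 65, False, 65)
```

The last return value is the whole argument in one line: recovery without the private key works only because the modulus is small enough to factor, which is exactly what a properly sized key rules out.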

What we have seen

SophosLabs has received a large number of scrambled documents via the Sophos sample submission system.

These have come from people who are keenly hoping that there’s a flaw in the CryptoLocker encryption, and that we can help them get their files back.

But as far as we can see, there’s no backdoor or shortcut: what the public key has scrambled, only the private key can unscramble.

In the clumsy but categorical words of the criminals themselves:

The single copy of the private key, which will allow you to decrypt the files, located on a secret server on the Internet; the server will destroy the key after a time specified in this window. After that, nobody and never will be able to restore files.

And that’s why SophosLabs wanted us to write this article, since they’re faced with the sad job of telling the victims that their files are as good as deleted.

The endgame is the same in all cases: if you have a reliable and recent backup, you’ll have a good chance of recovering without too much trouble.

Prevention, in this case, is significantly better than cure:

Stay patched. Keep your operating system and software up to date.

Make sure your anti-virus is active and up to date.

Avoid opening attachments you weren’t expecting, or from people you don’t know well.

Make regular backups, and store them somewhere safe, preferably offline.

Don’t forget that services that automatically synchronise your data changes with other servers, for example in the cloud, don’t count as backup.

They may be extremely useful, but they tend to propagate errors rather than to defend against them.

To the synchroniser, a document on your local drive that has just been scrambled by CryptoLocker is the most recent version, and that’s that.

Further information

For advice on how to improve your security against this sort of threat in future, we’ve prepared a guide to prevention, cleanup and recovery. (The guide also features a fascinating video of the malware in action.)

For information on how to access our support knowledgebase, our sample submission system, and how to find us on the IT social business network Spiceworks, please see this article on the Sophos corporate blog.


About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too.
Follow him on Twitter: @duckblog

126 comments on “Destructive malware “CryptoLocker” on the loose – here’s what to do”

Assume you were infected with a variant of this stuff that you'd heard on the grapevine did neatly clean up after you paid the crooks (just to get some "good reviews" out there amongst previous victims)…

…are you going to trust these guys that it'll turn out that way on your computer :-)

“Assume you were infected with […] this stuff that you’d heard […] did neatly clean up after you paid the crooks […] are you going to trust these guys that it’ll turn out that way on your computer :-) ”

i don’t have $300 but if i did, i would. it’s not a matter of trust–what choice is there? i mean, i assume we’re talking about irretrievable, sensitive or otherwise-important, data. unless you’d rather wait for a mathematical/cryptological breakthrough, it’s a no-brainer. also, assuming they’d sent the private keys to previous victims already, why would they arbitrarily stop? they’re making money and increasing faith (even further) in victims that, while they may not like what’s happened to them, the only solution offered is–at least–legit.

the simplest way for the average user to protect themselves imo is to buy a 1tb external drive (or as large as their budget allows) and get comfortable with *data* backups. sometimes, these articles only cater to technical people who are already practicing some level of information assurance.

i think hyping people to stay up-to-date on everything is what makes non-technical users susceptible to legitimate-looking popups scaring them into “updating” some software package or operating system because they don’t know what they’re doing. i don’t even have an anti-virus program and have never fallen victim to a virus. i could get attacked, yes, but given that i know several techies that have fallen prey to malware (quite a few times) in their lifetimes, how you use your system, and how paranoid you are, is more important than the latest virus definitions since good malware writers are not using a 3-year-old well-known signature.

one question then i’m gone (sorry for the long post): which is safer? an up-to-date windows 7/8 or an ancient windows xp sp1? malware writers, whether for fun or gain, target systems that have big footprints that will give them a big impact so users need to think practically instead of having simplistic assumptions about having the latest software. i don’t even update my software anymore if the changes are not material to me.

I am interested in your assertion that you have never fallen victim to a virus – even if you have anti-virus software that’s hard claim to back up.

Modern malware is for the most part trying to avoid detection and be as stealthy as possible – the criminals want it sat on your computer for as long as possible so they can log your keystrokes, mine bitcoins or relay spam. Cryptolocker is very much the noisy exception.

Also it doesn’t just arrive in dodgy emails – an awful lot of malware gets distributed via legitimate but compromised websites. You cannot simply avoid ‘likely’ websites. And the websites that get compromised… you guessed it, they’re often the ones that don’t keep their software up to date. Once a vulnerability is found in a common content management system or plugin criminals can scan the *entire* web looking for vulnerable machines.

And good malware writers may not be using 3 year old signatures but the 3 year old malware hasn’t gone away. So long as it can find a foothold it spreads and it often continues to be successful (Conficker is a good example of this) precisely because people don’t patch their systems.

i’m responding to mark stockley but i don’t see a reply button on his comment so this might not nest properly.

“I am interested in your assertion that you have never fallen victim to a virus…”

to be unambiguous, i meant that i’ve never had malware that deleted my files/did a low-level format/encrypted my files/made my system unstable or any of the things that really make people mad about malware. i have had adware or minor things like that, but even then, it’s because back then, i used to use ‘free’ software knowing that they bundled it with some other products and i often did not have a choice or was too lazy.

it’s possible that i have a keylogger (especially in the current state of affairs) or software using my spare cpu cycles to mine bitcoins, i guess, but whether that’s not the case is not worth going into here.

yes, you can. *you* (and some others) might not be able to, but i do not use the internet like other people. for one, i do not really browse. when i hit the net, there are very few sites that i go to and they’re ones which place high value on reputation (security, content etc.) even more than anything else. also, i turn *everything* on my browser off (javascript, images, cookies, plugins etc.) and only turn cookies on for a few minutes while i check my basic html mail.

should everyone do this? no, but i’m telling you that that’s how i use my system but i can (and do) go even further and use sandboxed or VMed browsers but i won’t get into all the ways that i try to protect my system. i just want to impress upon you that richard stallman is not the only paranoid person in the world and there are people who do employ a high-level of checks and balances without losing productivity. i even manage to have a life, strangely.

“[T]he websites that get compromised… you guessed it, they’re often the ones that don’t keep their software up to date”

i never said “never update”. i said i do not update if the changes do not matter in my case. that’s what the information on the updates is for: does it apply to me? and to quote what i said:

“i don’t even update my software anymore *if the changes are not material to me* ”

obviously, security and stability matter (to pick two examples) and i pay attention to those. also, server admins are not non-technical users so they would know what they’re doing. notice that i was referring to the susceptibility of non-techies:

clearly, administrators are not making decisions in the same way and they have other considerations that may not allow them to apply patches immediately e.g. see the rails security that happened in the beginning of the year. patches can be buggy, and some people are not able to just apply them (even if they’re not buggy) because the patches can render certain features that third party developers had used to build necessary applications (that are no longer actively developed) useless, and the current applications therefore, useless.

some people shoot themselves in the foot updating without making such considerations.

“I’ll let Paul answer your final question…Please see [link] ”

i’m not sure how much i should respond to paul here since he admits:

“[…] I have still to finish reading the report in full…I just haven’t got through it yet”

lemme start with the statistics which i don’t like but i must play the game.

“[…] XP is more than five times as permeable to malware than Windows 8”

xp (31.22%) is also used 5 times as much as windows 8 (6.66%) although that probably means nothing in that context. if windows 8.1 is (statistically) secure now (i.e. the *rate* of infections is lower), it still might not mean what we think it means in terms of security because the high-severity vulnerabilities/malware are the ones that matter. according to that report, medium vulnerabilities account for the majority (52.9%) so xp is probably taking more than its fair share of those, not because it’s more insecure, but the kiddies are intimately familiar with it.

paul and i appear to agree on something (which was actually the point that i was clumsily trying to get across on the last paragraph of my previous comment):

paul: “The most common platform, you can argue, is more likely to be singled out by malware writers…”

to conclude, there’s no question — i concede — that software gets more secure relative to older software that it replaces (on average, anyway) but so does the software to undo that security. the gap between secure and insecure is best increased, in my opinion, by changing behaviour and usage.

I found this article while trying to get a copy of the source to this malware to try to reverse engineer a key to decrypt. This guy PAID the ransom and the “key server” belonging to the crooks is no longer online. He is out the $300 AND all the data.

Do NOT pay ransom. You are just funding the creation of even worse ransomware in the future.

The malware itself is pretty easy to delete. Any decent AV will remove if after a scan.
But once removed, there is NO way of ever recovering the files, as the encryption-key will be removed and any other data the crooks use to retrieve the decryption key after you've paid.

No matter what, if you've paid to decrypt your files or you're giving up, clean your whole pc and start over with a fresh install of your OS.
Be sure to format everything that could contain even a part of the virus: MBR, register, RAM (remove all power sources), …

That wouldn't be necessary. This is a simple application that encrypts files? It's not a RootKit. This is an application that runs, usually placed in your App Data folder on Windows 7. You would just need to delete this file to prevent the software from running again. Then cleanup the folders and search the registry for the name of the application. After that check your LMHOST file for any unique entries. Then you're done. As far as files go, there's a way around anything. I'll be looking into this further and deving something up and attempting to get that pc infected and see what I can dig up. Monitoring your TCP/IP Connections during the infection would be key. The last thing anyone has probably attempted was to hack into the guys server and see if they can get the Private keys out of there. I'm sure this person is great at software development, but having a secure server? I doubt it.

I own a Mac and received two pop-up “Crypto” demands. In the first case, about a month ago, it appeared to do nothing. I was able to reboot with no problem and have had no issues with my machine. Then just yesterday, another that locked Safari. I shut the machine off manually and when it rebooted there were again no apparent effects. It appears completely normal. Is it possible the machine is “infected” in some way without my knowledge? All of my files are backed up so should I re-format my harddrive with the Apple disc? I am not a techie so be nice! I am using my work computer for this forum.

I run a mac with Parallels running Windows XP. I got hit today. Any files on the mac desktop became locked, including, unfortunately my 500Gb external that was plugged in via USB. I think that is due to any desktop files also are shown on the Windows desktop. Any files on the mac ‘Macintosh HD’ (if you see what I mean), were un-affected.

I uninstalled Parallels and dumped the files. Annoying but for me, not the end of the world as it was just my home mac, now if it had been the office, whoa, big problem!

It also affected all .psd photoshop files, but I actually think that is where it snuck in, in a .psd sent by a client.

Be careful with file sharing, whether it’s over a network, a USB cable or via a virtualisation solution!

When I mix the OS X and Windows ecosystems (I use VirtualBox to run Windows on OS X) I only ever share my OS X home directory into the Windows VM “read only.” If I want to export stuff from Windows, I mount a single directory in ~/Temp to use as a dumping ground. Just in case.

The only “crypto” I’ve seen on the Mac is a Javascript version running in browser. It generates 150 consecutive popup menu windows to create the impression you really are locked. You can get around it.

Unless you ok installation of software whose author you don’t know (perhaps mistaking malware for a legitimate product like Adobe Flash…always check the full domain of a site before downloading), you are very unlikely to get a real virus on the Mac.

To be safe, only get applications from the App Store (which is a curated application environment closely monitored by Apple).

One problem to bear in mind about the App Store: software accepted for inclusion isn’t allowed to have components that integrate with the operating system itself, such as kernel drivers.

That means no features like file filtering, which is pretty much a necessity for a proper anti-virus program. Just *finding* viruses is not enough – you need to be able to block access to infected files, if you want effective protection.

In short: any anti-virus in the App Store almost certainly has no “on access” (also known as “real time”) component, can’t do virus prevention, and should therefore be avoided.

(In case you’re wondering why our free Mac Anti-Virus is available from the Sophos website but not from the App Store…)

Does it really matter? Even if you can feel all warm and fuzzy knowing you're safe from this right now, do you really think that means no one will ever write it for a mac? You're much better off protecting against it now than you are waiting. You never know, you might be the "lucky" one who is the first to see the mac variant, and by then it is too late.

Given that CryptoLocker traverses network drives, no data is safe near it – mac, linux or windows. Easiest scenario is that someone with an infected windows box is on a network where a mac writable file share is present.

This raises a good point about Mac OS X (or iOS or any OS) security. If you give someone write permission to the drive that contains the OS you open yourself to the possibility that a malware author *could* have written in code to detect this scenario and use the vulnerability to insert malware into an otherwise secure Mac OS X drive.

Not to brag… But if you would be using a Mac, local files would be easily retrievable using Time Machine, Mac’s backup service. So, even if the virus did exist for Macs (which it does not seem to), destruction would be much less and system restore would be a snap.

There are many good reasons to buy a Mac but please, please don’t buy one because you think it or Time Machine offers some magical level of protection against a theoretical future Mac version of Cryptolocker.

I am a dyed-in-the-wool Mac enthusiast and advocate Mac OS X and iOS for better data security, but Mark is spot on. There was a report from a researcher in Australia that their client was using a similar incremental backup system (Windows based, but a similar approach to Time Machine). Because the encryption caused so many bit-level changes to the drive the software made fresh backups of everything and deleted old backups to make room for the new corrupted files. You would get the same effect with Time Machine where oldest backups are deleted once drive becomes full (unless you had a drive big enough to hold both the old uncorrupted copy of all files AND the new locked ones). I just glanced at the Time Machine control panel and thought that option could be turned off but didn’t see the check box.

The best defense is to make multiple backups, and to have backups not connected to the machine whose contents you are trying to protect. You could do this with Time Machine on the Mac (which I recommend since it allows you to restore your machine from backup to the point where the windows will even open up as you had them at the time you performed the backup). To do so you would periodically attach an additional backup drive (have separate drives for daily, weekly, monthly backups, and unmount them and disconnect them safely after the backups are complete), configure Time Machine to perform a complete backup to that drive.

The best defense on ANY system is redundancy (multiple copies of mission critical data), and storing the backups in multiple locations NOT connected in any way to the network. If you building burns down, you don’t want all your backups in that building. If your network is compromised you don’t want all your data to be likewise vulnerable. Connecting computers creates convenience but it also creates risk.

Macs are known to be vulnerable to this sort of malware, so the fact that an unexpected dialog appears should be a warning. So take the sensible steps suggested no matter what OS you use. Personally I do not and would not use any cloud service either as they can be vulnerable. (Personally I see no benefits to me in using the cloud!)

There’s quite a voluminous thread building over at Bleeping Computer Forums – up to 46 pages @ last check – indicating that quite a few folks are actually paying the ransom (due to an unfortunately-too-typical disdain for proper backup procedures, no doubt); CriLock has also dominated the Patch Management List conversations over the last six weeks, with many of the professionals amongst the membership recommending the blocking of any and all .zip file actions, apparently. IMHO, Software Restriction Policies preventing executables from running in AppData/Roaming appear to be the best palliative at this point, despite the impact that can have on legitimate programs whose developers have chosen that location from which to run.

Its just happened to my mams laptop, she has lost everything from pictures, documents and videos. It came up you have 72 hours to pay, it went away then came back the next day : Don't have a clue how to sort it out.

No. Kaspersky looks for viruses, it doesn't decrypt encrypted data.
Consider this a life lesson on doing proper backups on your system data.
Wipe your hard drive, reload the OS, reinstall your programs and retrieve your program's data from your backup.
If you didn't backup then you are screwed. Much better now to take the ransom money that you would have paid to the hacker and buy a good USB 3.0 backup drive with it. Then USE it.
If something is worth storing on your computer then it's worth backing up.

Firstly, they don't charge your card directly, they ask you to pay via a third party (similar to paypal), so at no time do they actually get your card details.

Secondly, if you pay it, get your private key then phone up your card company (providing you use a credit card) and advise you didn't receive the goods you paid for, the amount will be refunded and you walk away with an unlocked machine costing you nothing but a phone call!

So please everyone stop making a fuss over nothing, secondly, if this was a real issue with the power of cloud computing which can break SSL and WPA2, it wouldn't take more than a day or two's computing time to crack the private key anyway, so why doesn't someone do this and charge people $50 a time, and make the money rather than the hackers….

James is both right and wrong here – as a previous commenter noted, the ransomware example above expects you to pay with Bitcoins (a sort of digital cash) or via a MoneyPak (effectively a disposable credit card).

So they don't get *your* card details. They just get some of your money.

But it isn't "a day or two's computing time" to crack each private key, as far I can see. All the power of the cloud *can't* break SSL or WPA2, at least not in any routine and general way.

He is also wrong due to the fact the credit card company will not honor the fraud claim since a victim *WOULD* receive the MoneyPak that was purchased. What the victim does with the MoneyPak is not the credit card company's problem.

Encryption used by this malware is RSA 2048. Good luck paying a guy $50 to generate the private key. Let me know how you get on :). I believe at the current processing rates and cracking trends RSA 2048 bit encryption will be trusted up to about at least 2030.

The malware runs with the same permissions and powers as any program you launch willingly.

So if there's a file you could locate and access with, say, Windows Explorer (whether on your own hard disk, USB key, network share, cloud storage vault magically turned into a drive letter by special software driver)…

…then the malware could locate it too.

If you have write access to it, so does the malware.

PS. It isn't a virus, so it doesn't copy itself over the network and *infect* other computers. But it can *affect* them.

It won't decrypt the files, since only the crooks can do that. But it will sort out the malware, and indeed any other malware you might have (some people are getting CryptoLocker as a side-effect of *already having some other malware* on their computer).

Cryptolocker targets all accessible shares, so while a Mac may not be directly targeted if an infected system has access to a file share, or the Mac accesses file shares on the infected system, those files are subject to destructive encryption.

Several people in large infrastructures have attested that paying the piper does result in decryption of files, however, this is a bad precedent to set.

I have been in discussion with a few AV/Security research vendors for what I believe to be a critical flaw in the virus' design.

I have obtained copies of the virus to work from, and will be running testing on my personal VLab in the near future, but lack the sophistication and horsepower of security firms.

This isn't *your* private key. The crooks generate a public/private key pair on demand, send you the public key and keep the private key on their own server. You never have a copy of the private key to keep.

Therefore, after you have unknowingly locked your own data, only they can unlock it.

Would blocking the listed domains at your firewall prevent the encryption from occurring, since the public/private key pair would not be able to be generated? If so, is anyone tracking what domains are used (ie, is the list above all inclusive and the people responsible aren't adding new domains to the list dynamically)?

As far as I am aware, the encryption only starts if a public key has been acquired from the crooks, which mean the malware has to be online and have "called home." There is no offline mode.

Of course, blocking the domains should always be a last ditch protection, as it means the malware is already running and perilously close to trouble…stopping the malicious EXE from launching in the first place is your best solution.

We track the list and try to block it – it's not static, by the way, so it has a new list of 1000 domains each day. You can calculate each day's list, so it's not entirely *random*, but it isn't exactly *static* either :-(

The malware reads the timestamp on a file before it encrypts it, and sets it back afterwards. So you can't look only for files that were modified recently.

Why don't you find a file you know is encrypted now, and load a copy of that file, and that file only, from your last N backups? If you find the file is encrypted in your backup, you know you need to go back further…

The encryption depends on the number of files. How long does your backup take? The malware is going to take about that long or less…
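The two replies above (timestamps are put back, so "recently modified" finds nothing; instead pull one known-scrambled file from each of your last N backups and walk back until it is clean) and the article's warning that a sync service is not a backup can be shown together in a small simulation. This is an added example, not code from the article or its comments; the file contents, the dates and the set of file-type signatures are constructed for it, and the "scrambling" is a stand-in that produces unreadable bytes of the same length while restoring the original mtime, not any real cipher.

```python
# Added example (not from the article): sync mirror vs. versioned backup, and
# locating the last clean copy of a file by content rather than by timestamp.
import random
from collections import OrderedDict

# Constructed sample data: a minimal "PNG" (header plus padding) and a text note.
SAMPLE_FILES = {
    "holiday.png": {"data": b"\x89PNG\r\n\x1a\n" + b"\x00" * 24, "mtime": 1380000000},
    "notes.txt":   {"data": b"quarterly figures, draft 3", "mtime": 1380100000},
}

# Constructed rule set: what the first bytes of a few common types should look like.
MAGIC = {".png": b"\x89PNG\r\n\x1a\n", ".zip": b"PK\x03\x04",
         ".docx": b"PK\x03\x04", ".pdf": b"%PDF-"}


def looks_intact(name, data):
    """Cheap content check: does the header match what the extension promises?
    Unknown types return True, because the header tells us nothing."""
    for ext, magic in MAGIC.items():
        if name.lower().endswith(ext):
            return data.startswith(magic)
    return True


def scramble_like_ransomware(entry, seed=7):
    """Stand-in for the damage: same length, unreadable, ORIGINAL mtime put back."""
    rng = random.Random(seed)
    garbage = bytes(rng.getrandbits(8) for _ in range(len(entry["data"])))
    return {"data": garbage, "mtime": entry["mtime"]}


class SyncFolder:
    """Mirrors the local disk: the newest version wins, older ones are gone."""
    def __init__(self):
        self.files = {}

    def sync(self, local):
        self.files = {k: dict(v) for k, v in local.items()}


class VersionedBackup:
    """Dated snapshots that are kept, not overwritten (ideally stored offline)."""
    def __init__(self):
        self.snapshots = OrderedDict()

    def snapshot(self, day, local):
        self.snapshots[day] = {k: dict(v) for k, v in local.items()}


def last_clean_snapshot(backup, name):
    """Walk back from the newest snapshot to the newest one where `name` passes
    the content check. mtime is ignored on purpose: it was restored by the malware."""
    for day in reversed(backup.snapshots):
        snap = backup.snapshots[day]
        if name in snap and looks_intact(name, snap[name]["data"]):
            return day
    return None


def run_scenario():
    local = {k: dict(v) for k, v in SAMPLE_FILES.items()}
    sync, backup = SyncFolder(), VersionedBackup()
    backup.snapshot("2013-10-01", local); sync.sync(local)   # day 1: all clean
    backup.snapshot("2013-10-02", local); sync.sync(local)   # day 2: still clean
    local["holiday.png"] = scramble_like_ransomware(local["holiday.png"])  # day 3
    sync.sync(local)                      # the sync client uploads the damage
    backup.snapshot("2013-10-03", local)  # a backup taken too late copies it too
    png = sync.files["holiday.png"]
    return {
        "sync_copy_intact": looks_intact("holiday.png", png["data"]),
        "mtime_changed": png["mtime"] != SAMPLE_FILES["holiday.png"]["mtime"],
        "last_clean_day": last_clean_snapshot(backup, "holiday.png"),
        "notes_last_clean_day": last_clean_snapshot(backup, "notes.txt"),
    }


if __name__ == "__main__":
    for k, v in run_scenario().items():
        print(f"{k}: {v}")
```

Two things fall out of the run: the sync copy is scrambled with its timestamp untouched, so a "modified since" search would miss it, and the PNG's last clean snapshot is 2013-10-02 while notes.txt reports 2013-10-03 simply because a plain text file has no header to check. In practice, pick a probe file of a type with a recognisable signature (an image, a PDF, an Office document) when walking back through backups.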

We are using Sophos UTM. Does a pretty good job of blocking access to malicious/suspicious sites. Even trying to grab a tool that can be used to write policy to prevent execution of exe in the appdata areas is blocked with normal settings.

So, that raises the question of getting an infection and the result of and or “if” sophos blocks access to suspicious sites. will that mitigate infection results?

People write they’ve been “hit”, but actually, unless there really is a malware backdoor, this is a “virus” which relies on someone being dumb enough to open an attachment in an email without checking the extension. Reminds me of the old joke about the lazy virus programmer who just sent out an email saying “This is a virus, but I am not a very good programmer. Please format your hard-drive.”.

Part of the problem is the stupid “feature” in windows of hiding extensions – ever since it was introduced I set all computers within my power to display extensions, as well as hidden and system files.

The biggest victims of this new threat happen to be medium to large sized enterprises. I am a systems analyst for a company out here in Columbia, MD and we have been having a lot of our users coming to me with cryptolocker infections. We are getting 1 new cryptolocker ticket per week and this is the most sophisticated virus of its kind. I'm looking at a laptop right now that is infected. Your files and data are held hostage. I mean, a ransomware that uses PKI pretty much renders the infected party at the mercy of the attacker because only they have the private key. Once that key is destroyed you are pretty much outta luck. These guys are crooks so they already have no credibility. Who is to say that after you pay the ransom that they'll honor their end of the bargain and give you the right decryption code.

Has anyone here paid the money and gotten their files back?? I'd like to hear from you if so. y.lowery[at]gmail[dot]com

I'm a pc user and not as tech savvy as those posting here. I bet there are a lot of people like me who need some xtra help.

Ques: I have a popular anti-virus/malware security and firewall, am I likely to be protected?

If a friend/someone sends me an email with a link, IF I use it will I get infected or does their and my security check it?

I do not have an external Hard drive, would backups be done with USB Flash drives, etc. ?

OK, Hope yall don't mind my simple questions, but I intend to beat this Malware ! ha.
Thank YOu, I did learn a lot from the article AND the subsequent posts. That is how I'm learning, but these ques still come up. Appreciate any replies and hope you're not infected. damn malware and the people who create it !

This sounds like a rather fun virus I must say. Nasty little creature.

Now here's a question: Why are the domain names that the virus tries to access and are listed still actually going to the proper servers? The owners of the domains are engaged in illegal activities which virtually every domain registrar has stipulations concerning in their user agreements (that you check the box on) when you buy the domain. Couldn't the domains simply be forwarded somewhere else or disabled? A takedown request for those domains shouldn't be too difficult.

I got infected with this malware about a month ago. I had two people using my computer, and since it's a little nothing machine with games and other entertainment only. Nothing I couldn't easily replace. I went to my son's account and it was OK. So I used his account to do system erasure and took the machine back to factory condition. That's an easy solution for those who have no irreplaceable vital data encrypted. But, holy smokes folks, just back up everything. That's the real answer.

We received this on a client machine – Windows server with Shared Files (106 Gb) – This will require hours to restore, and we are not sure which machine infected it. This sucks big time…hope they trace this to the dudes and hit them hard!!!! Navy Seals and Delta are standing by!!!

There goes my weekend!!!

Well, this will probably lose our client for us…even though the stupid users most likely clicked on the link!!!!

If it is using a known registry entry to store the public key for encryption, what about preinstalling the registry entry and then restricting access to it? Then it is not able to store its encryption key and cannot encrypt the user's files.

If it uses this key, HKCU\Software\CryptoLocker\Public Key, then create this key before infection and lock it so it cannot be used. Would that not thwart it?

We don’t advise doing this. It might work for a bit but a) we can’t be sure of the unintended consequences and b) if it does work it will work until it doesn’t – malware does not stand still and you can expect that, if it were successful, a simple countermeasure would be dealt with in subsequent versions.

As Chester Wisniewski put it: “Registry manipulation is not a reliable technique for dealing with Cryptolocker. A broken clock is right twice a day, but you would be a fool to rely on it.”

Your best chance of stopping it from infecting your systems is up-to-date anti-virus, and your only chance of recovery is to take regular backups.

I'm no programmer, but could we not as a community set up an alternative option… Just thinking of distributed computing efforts of distributed.net & SETI… RSA2048 is a B**ch to crack with one PC… but what about 1000, 10000, 100,000? Just wondering what kind of power you would need to do this?

Actually, instead of cracking one key, use the distributed computing power to generate rainbow tables. Not sure how long it would take to gen those tables for RSA2048, but every cycle devoted to cracking would at least be towards the common good of everyone involved.

There are 300 million people in America. How long would it take a million desktop PCs to make those tables? (if they don't already exist)

And if we got some corps with high powered servers to donate spare cycles, then how long?

The solution to this is obvious: Run data recovery (foremost/photorec, etc) and get back all “deleted” files. Forget decrypting the copies, find the “deleted” originals!

It takes time to copy and encrypt many files. Therefore, this malware probably can’t start deleting files until it is done encrypting them, for fear of discovery. That would prevent any files from being overwritten unless the extra time to “shred” them is taken.

If the malware “deletes” each file immediately after encryption, at least some files still would not be overwritten and could be recovered. I have not seen the offending software, but I would not want to write attack code against an enemy that risked showing itself with the first file it tampered with, presumably neither would these gangsters.

Lastly, don’t ever pay or you are part of the problem. Since I have multiple offline backups that are never auto-synced, I would simply wipe the disk, reinstall from my last known good OS image, and copy back all my files from backup. That is, if anyone ever ported this crap to Linux in the first place…

If you don’t have backups, you WILL lose your files; just the cause of loss will probably be a hard drive failure or severe filesystem corruption. Shit happens: for everyone who had unbacked-up files held hostage, hundreds lost them to simple failures. Back your files up today, and shut those wallets!

I keep seeing this crap on UNIX. You need to get educated. UNIX, AIX, HP-AIX and LINUX systems are no longer exempt from attacks. Windows is more susceptible, but you’d better be taking precautions with your UNIX systems as well.

I was hit with the Cryptolocker. We are a financial firm. Unfortunately, I didn’t have the proper IT procedures in place to prevent this. Users are dumb. That’s the simple fact, and one of mine just clicked on the link. She left for vacation with her computer on, and after 3 days the system had encrypted her files. The worst part is that the network file share got corrupted and our replication server corrupted those as well.

We paid the ransom and we did receive back our files, but it was a scary event. Feel free to contact me if you would like.

Just make sure your run keys are protected so that nothing can be installed. It's the first place malware tries to inveigle itself into.

When I first started as a security analyst ten years ago this was the very first thing I ever did, and I have never had a virus infection. I also don't run an AV; the only thing I use now is Spyware Terminator and it's not bad at all. Sophos as an AV would be one of my choices for a client. The guys that work for Sophos are the dogs bollox.

Use autoruns to find all the vectors for malware install. It doesn't show all, but it's pretty comprehensive. Then use registry editor or group policy to lock it all down; it's not actually brain surgery.
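To make the run-key audit the commenter describes concrete, here is an added example that is not from the commenter, the article or Sophos: it parses the text that `reg query` prints for the HKCU Run key and marks entries that launch from a user-writable profile folder or carry a random-looking name, the two traits the article gives for CryptoLocker's autostart entry. The registry output below is constructed for the example, and the value name `Vlkqztrbm` is invented, not a real indicator.

```python
import ntpath
import re

# Constructed triage input: what `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run`
# prints. It is made up for this example; "Vlkqztrbm" is an invented stand-in for the
# random-looking name CryptoLocker uses, not a real indicator from any infected machine.
SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    Vlkqztrbm    REG_SZ    C:\Documents and Settings\alice\Application Data\Vlkqztrbm.exe
    SomeTool    REG_EXPAND_SZ    %ProgramFiles%\SomeTool\tool.exe
"""

ENTRY_RE = re.compile(r'^[ \t]+(.+?)\s+(?:REG_SZ|REG_EXPAND_SZ)\s+(.*?)\s*$', re.MULTILINE)
# User-writable locations (the article says CryptoLocker drops itself under Documents and
# Settings). An autostart from here is a review item, not proof of infection: OneDrive lives there too.
PROFILE_ROOTS = ("\\documents and settings\\", "\\users\\", "%appdata%", "%localappdata%", "%userprofile%")

def executable_path(command):
    """Program path from a Run value: the quoted part, or everything up to the first .exe."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = re.match(r'(.*?\.exe)(?:\s|$)', command, re.IGNORECASE)
    return m.group(1) if m else command.split()[0]

def looks_random(stem):
    """Crude heuristic for generated names: seven or more letters, almost no vowels."""
    if len(stem) < 7 or not stem.isalpha():
        return False
    return sum(c in "aeiou" for c in stem.lower()) / len(stem) < 0.25

def audit_run_entries(reg_output):
    """Parse `reg query` output and attach review reasons to every autostart entry."""
    report = []
    for name, command in ENTRY_RE.findall(reg_output):
        path = executable_path(command)
        stem = ntpath.splitext(ntpath.basename(path))[0]  # ntpath parses Windows paths on any OS
        reasons = []
        if any(root in path.lower() for root in PROFILE_ROOTS):
            reasons.append("runs from a user-writable profile folder")
        if looks_random(stem):
            reasons.append("random-looking executable name")
        report.append({"name": name, "path": path, "reasons": reasons})
    return report

if __name__ == "__main__":
    for item in audit_run_entries(SAMPLE_REG_QUERY):
        print("REVIEW" if item["reasons"] else "ok", item["name"], item["path"], "; ".join(item["reasons"]))
```

Feed it the output of `reg query` for the HKLM Run, RunOnce and per-user Run keys as well; the heuristics are deliberately loose, so anything it marks still needs a human to confirm what the program is before removing it.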